In January of 2020, Microsoft patched an NSA-reported critical vulnerability within the Windows CryptoAPI. There are plenty of resources that explain the technical details of the attack, labeled CVE-2020-0601, or “Chain of Fools/CurveBall.” However, another extremely important change involves the fact that Microsoft is now logging attempted exploitation of this CVE within the Windows Application Event Log. This has numerous positive implications for defenders. Watch this episode to learn everything you need to know.
⚠️ Update: It appears Windows 10 Version 1903 only generates events for spoofed certificates associated with binaries, not websites. More testing is required to validate these results.
SANS Webcast: Microsoft Patch Tuesday crypt32.dll Vulnerability Overview:
[ Ссылка ]
CveEventWrite Function:
[ Ссылка ]
CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability:
[ Ссылка ]
CVE-2020-0601: The ChainOfFools/Curveball Attack Explained with POC:
[ Ссылка ]
Windows Event Log - Audit-CVE (Splunk Searches):
[ Ссылка ]
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
Background Music Courtesy of Anders Enger Jensen:
[ Ссылка ]
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
CVEs in Windows Event Logs? What You Need to Know
Теги
forensicsdigital forensicsDFIRCVE 2020-0601CVE-2020-0601CVE 2020-0601 POCCVE-2020-0601 POCChain of FoolsChainOfFoolsChainOfFools attackChainOfFools vulnerabilityChainOfFools exploitCurveBall attackCurveBall vulnerabilityCurveBall exploitcrypt32.dllcrypt32CryptoAPICrypto APICveEventWriteAudit CVEAudit-CVEMicrosoft-Windows-Audit-CVEEvent ID 1Possible detection of CVEElliptic Curve vulnerabilityECC vulnerabilityNSA vulnerability
![Как работает Графика в Видеоиграх? [Branch Education на русском]](https://s2.save4k.org/pic/_j8R5vlA0ug/mqdefault.jpg)